White paper:

Legislation & regulation

Fraud fighters from all parts of the United States met at the National
Insurance Fraud Forum in Washington, D.C., June 5-7, 2000 to set a
fraud-fighting agenda for the next five years. Their accomplishments included
identifying key fraud fighting goals in dealing with legislation and regulation
at the state and federal levels and proposing a list of specific developments
on which to focus.

Proposed new statutes and regulations frequently threaten the industry's
fraud fighting programs and the ability of fraud fighters to access information
necessary to pursue insurance fraud offenders. A fundamental shift is occurring
in government's approach to management and oversight of claims and
investigative data. Traditionally, the business of insurance has been regulated
by state governments. Insurance crimes, for the most part, have been state
crimes. Accordingly, privacy protections and other restrictions on access to
and use of data have been found in state laws and industry self-regulation.

Then came 1999 — and a new federal government preoccupation with privacy.
The general approach has been to create new federal limitations, not to replace
state limitations, but to set a nationwide floor of privacy protection. Several
states are now trying to outdo each other in cutting off access to information
about their citizens.

On the federal privacy front, there were three noteworthy developments in
1999.

First, Congress considered, but did not pass, extremely broad and extremely
stringent new limitations on the use of personally identifiable information
related to health care. Several of the bills introduced in Congress by Sen. Ted
Kennedy (D-MA) and others would generally have prohibited use or disclosure of
such basic fraud-fighting data as the fact that Joe Smith submitted claims for
treatment by the XYZ Neck Pain Clinic. None of those bills passed. New federal
regulations have been proposed, but not yet adopted.

Second, Congress enacted the Gramm-Leach-Bliley Act, also known as the
financial services reform bill. A dispute over data access nearly derailed the
bill. Congress established a general rule that insurance companies may not make
customer information available to non-affiliates without first giving the
customer the right to "opt out" of any such information sharing. Regulations to
implement the new law, published May 24, 2000, allow information to be shared
for fraud fighting.

The third development involved use of motor vehicle and driver license
records. A Senate subcommittee approved legislation flatly prohibiting any
state from giving any such information to NICB for any purpose, but NICB
succeeded in carving out an exception for anti-fraud activities before the bill
was signed into law.

Discussion Topics

The discussion group on legislation and regulation covered the following
three major subjects in detail:

Patients will be allowed to "request broad restrictions on further .
. . disclosures to particular persons."

Disclosure is allowed for "law enforcement purposes" only if
"pursuant to process," "for identifying purposes," when "about a victim
of crime or abuse," for "national security" or "health care fraud."

There is no specific exemption for covered entities to disclose
information for use in fighting insurance fraud other than health care
fraud.

The proposed rule may leave the mistaken impression that insurance
claimants seeking reimbursement for medical expenses and payment for
pain and suffering may try to prevent insurance company use of
individually identifiable information to detect and deter insurance
fraud.

NICB has proposed a one-sentence addition to the list of
circumstances for which disclosure is permitted, which would avoid
confusion and ensure that unscrupulous individuals do not seek to
misuse the privacy standards.

HHS plans to finalize privacy regulations for health-related
information later this year.

Motor vehicle records: new legislation eliminating exemptions from the
prohibition on disclosure?

Privacy Commission: a comprehensive and detailed effort to overhaul
state and federal privacy laws and industry practices?

Future Focus

As a result of those discussions, the Fraud Forum identified the following
10 areas on which to focus during the next five years:

(1) Globalization

The internet has opened new opportunities for fraud. Other nations have
online privacy restrictions ranging from nothing to extremely strict (e.g.,
European Community standards). Regardless of how the state vs. federal issues
(discussed below) settle out, the U.S. needs to avoid being governed by the
world's least common denominator (e.g., EC privacy restrictions).

(2) State vs. Federal Law

Which level of government is regulating what? Will the business of insurance
soon fall under federal regulation (abrogation of McCarran-Ferguson)? Does the
NAIC's Insurance Information Privacy Protection Model Act have a future? Will
the states agree on the desirability of uniformity in enforcement and
implementation of the FTC/financial privacy regs, the HHS health information
standards and the DPPA?

(3) Industry Consolidation

New abilities to share information among affiliated companies was a key
reason to update the statutes governing the securities industry and other
financial services laws. The insurance industry needs to draw a hard line
against the Shelby/Clinton efforts to restrict sharing among affiliated
companies.

(4) Integrated Products

If insurers lose the ability to share information across product lines, they
also may lose the ability to offer integrated products — once again, in
conflict with the basic purposes of the GLBA.

(5) Professional Organizations

If states restrict the ability to fight fraud, they should also insist that
doctors and lawyers be regulated more closely; the industry can in the meantime
raise public awareness about what a failure professional self-regulation has
been in insurance fraud.

(6) Privacy Advocates

Insurance industry needs to build bridges to the privacy advocacy groups
that are driving developments in Congress.

(7) Congress

Members of Congress need to be educated about how fraud works and why data
access is essential to fight it; the grassroots network — especially local law
enforcement — needs to be primed and ready to go on a moment's notice.

(8) State Legislators

State legislators need to be educated about how fraud works and why data
access is essential to fight it; the grassroots network — especially local law
enforcement — needs to be primed and ready to go on a moment's notice.

(9) Immunity

Need to monitor status and effectiveness of state immunity statutes and
consider federal immunity provision.